IDA

INSTITUTE FOR DEFENSE ANALYSES

NSD-5216

A Consistent Approach for Security Risk Assessments of Dams and
Related Critical Infrastructure

J. Darrell Morgeson
Jason A. Dechant
Yev Kirpichevsky

Yazmin Seda-Sanabria, U.S. Army Corps of Engineers
Enrique E. Matheu, U.S. Department of Homeland Security

June 2014

Institute for Defense Analyses
4850 Mark Center Drive
Alexandria, Virginia 22311-1882

Approved for public release;
distribution is unlimited.

IDA Log No. H 14-000689


The Institute for Defense Analyses is a non-profit corporation that operates
three federally funded research and development centers to provide objective
analyses of national security issues, particularly those requiring scientific and
technical expertise, and conduct related research on other national challenges.

About This Publication

The views, opinions, and findings should not be construed as representing the
official position of either the Department of Defense or the sponsoring organization.

Copyright Notice

© 2014 Institute for Defense Analyses

4850 Mark Center Drive, Alexandria, Virginia 22311-1882 • (703) 845-2000.




A Consistent Approach for Security Risk Assessments of Dams and Related
Critical Infrastructure

James D. Morgeson¹, Yazmin Seda-Sanabria², Yevgeniy Kirpichevsky³, Jason A. Dechant⁴, and Enrique E. Matheu⁵

¹ Institute for Defense Analyses, Alexandria, VA 22311, USA. jmorgeso@ida.org
² Office of Homeland Security, Directorate of Civil Works, U.S. Army Corps of Engineers, Washington, DC 20314, USA. Yazmin.Seda-Sanabria@usace.army.mil
³ Institute for Defense Analyses, Alexandria, VA 22311, USA. ykirpich@ida.org
⁴ Institute for Defense Analyses, Alexandria, VA 22311, USA. jdechant@ida.org
⁵ Sector Outreach and Programs Division, Office of Infrastructure Protection, National Protection and Programs Directorate, U.S. Department of Homeland Security, Washington, DC 20598, USA. Enrique.Matheu@hq.dhs.gov


ABSTRACT: The Common Risk Model for Dams (CRM-D), developed as a result of collaboration between the U.S. Army
Corps of Engineers and the U.S. Department of Homeland Security, is a consistent, mathematically rigorous, and easy to
implement methodology for security risk assessment of dams, navigation locks, hydropower projects, and similar infrastructures.
The methodology provides a systematic approach for evaluating and comparing security risks across a large portfolio. Risk is
calculated for an attack scenario (a specific adversary using a specific attack vector against a specific target) by combining
consequence, vulnerability, and threat estimates in a way that properly accounts for the relationships among these variables. The
CRM-D can effectively quantify the benefits of implementing a particular risk mitigation strategy and, consequently, enable
return-on-investment analyses for multiple mitigation alternatives across a large portfolio. Recently, refinements have been made
to the methodology to characterize the complexities of the adversary threat and the ability to interdict their actions. When first
developed, CRM-D focused on a highly capable international terrorist. Recently, it has been extended to include additional
adversary types distinguished by a wide range of capabilities. In addition, the methodology has been extended beyond target
defenses to consider the role of local and national defenses in mitigating risk to manmade threats. A methodology for
characterizing these defenses was developed as well as expert estimates for the probability an adversary could penetrate them.
This comprehensive methodology provides a rigorous way to consider risks to dams across a large portfolio and is extensible to
other types of critical infrastructures. This paper discusses various features of the CRM-D methodology as well as findings and
lessons learned resulting from its implementation.

Keywords: Vulnerability, Threat, Conditional Risk, Portfolio Risk

1. INTRODUCTION

The Common Risk Model for Dams (CRM-D) methodology integrates outputs from three separate models: consequence,
vulnerability, and threat. Modelling is a natural choice to estimate outcomes of complex physical and economic processes, such
as consequences from attack, but it is equally important for estimating vulnerability and threat, variables that require more
subjective input from subject matter experts (SME). It is prohibitively costly and time consuming to elicit expert judgments on
vulnerability and threat for every scenario and to repeat the elicitation process every time a new scenario is introduced or old
scenarios are modified. Therefore, modelling expert judgement is crucial when developing risk estimates to support return on
investment (ROI) analyses, because the impact of potential risk mitigation alternatives needs to be assessed quickly.

The vulnerability and threat models are based on data elicited in a way that makes it possible to apply elicited SME judgment to
any set of attack scenarios. The elicitations were conducted to estimate risk from an attack by a highly capable, transnational
adversary group. Elicitations in support of estimating risk from other types of adversaries are currently under development.
Because the adversaries' capabilities and/or intent are likely to change with time, elicitations should be repeated every few years
or as deemed appropriate.

2. CRM-D OVERVIEW

CRM-D incorporates commonly used risk metrics that are designed to be transparent, simple, and mathematically justifiable. The
model also enables comparisons of calculated risks to assets and systems within and across critical infrastructure sectors.

The model/methodology take into account the unique features of dams and navigation locks and provide a systematic approach
for evaluating and comparing risks from adaptive threats across a large portfolio.




At the most basic level of analysis, risk is estimated for an attack scenario, which is defined as (1) a specific adversary (e.g., a
highly-capable transnational terrorist group), (2) attacking a specific target (e.g., the main impoundment structure of a specific
dam), and (3) using a specific attack vector (e.g., a cargo van loaded with explosives). Risk is defined as "expected loss",
which is a function of three variables: threat (T), vulnerability (V), and consequences (C):

$$R = f(T, V, C) \tag{1}$$


Threat is defined as the probability of an attack scenario being attempted by the adversary, given the attack on one of the targets
in the portfolio under assessment, or P(A); vulnerability as the probability of defeating the target's defenses, given that the
attack is attempted, or P(S|A); and consequences as the expected consequences of the attack, given that the target's defenses are
defeated, C. Because of how CRM-D estimates these three variables, it is appropriate to calculate risk as their product:¹

$$R = P(A) \times P(S|A) \times C \tag{2}$$

CRM-D also defines "conditional risk," or $R_C$, as risk for the attack scenario, given that this scenario is chosen:²

$$R_C = P(S|A) \times C \tag{3}$$


The consequence and risk metrics currently considered in the CRM-D are loss of life and total economic impacts. The sum of all
the risks for all the attack scenarios under consideration is termed "portfolio risk." Minimising portfolio risk subject to available
resources is often the focus of risk managers.

3. VULNERABILITY

CRM-D uses a layered defense model to evaluate the vulnerability of a target to a specific attack by a specific adversary. The
defensive layers protecting a given target could potentially include national defenses (e.g., national counter-terrorism activities),
local defenses (e.g., local law enforcement capabilities to detect and respond to potential attacks), and target defenses (e.g., onsite
security systems and protective measures). The methodology for producing vulnerability estimates that account for target
defensive layers is described in detail in Seda-Sanabria et al. (2011).

An attack is considered "successful" if every defensive layer is breached and the attack reaches the target. Therefore, for the
conceptual attack scenario shown in Figure 1, P(S|A) can be determined using the following expression:

$$P(S|A) = P(S|A)_{L1} \cdot P(S|A)_{L2|L1} \cdot P(S|A)_{L3|L1,L2} \tag{4}$$

where $P(S|A)_{L1}$ is the probability of successfully breaching the first layer given the specific attacker under consideration attempts
this attack, $P(S|A)_{L2|L1}$ is the conditional probability of successfully breaching the second layer given that the attacker has
successfully breached the first layer, and $P(S|A)_{L3|L1,L2}$ is the conditional probability of successfully breaching the third layer
given that the attacker has breached the first and the second layers.


¹ The functional relationships among the variables are accounted for by estimating P(A) as a function of the other two variables,
but there is no stochastic relationship because P(S|A) and expected consequences are estimated as point values, and not random
variables. This justifies the use of the product function (Cox, 2008).

² Note that the risk metric in Equation 2 is also conditional, on the attack within a portfolio under assessment. The "conditional
risk" metric is further conditioned on the particular attack being chosen.


[Figure 1 labels:
$P(S|A)_{L3|L1,L2}$: probability of successfully breaching the third layer given that the attacker has successfully breached the first and the second layers.
$P(S|A)_{L2|L1}$: probability of successfully breaching the second layer given that the attacker has successfully breached the first layer.
$P(S|A)_{L1}$: probability of successfully breaching the first layer given that the attacker attempts the attack.]

Fig. 1: Conceptual Model of Layered Defenses

Each layer is defined by its defensive attributes. For a national defensive layer, these can be the characteristics of relevant
programs and activities implemented at the national scale, such as the security screening conducted at airports; for a local
defensive layer, these can be the level of participation by local law enforcement agencies in intelligence information sharing and
their prevention/response capabilities; and for the target defensive layers, these can be the characteristics of site security measures
such as vehicle barriers, access control systems, security force, etc.

There are a relatively small number of combinations of defensive attributes that are typically implemented as target defensive
layers at dams and related facilities. These commonly employed configurations are called layer defensive configurations or
LDCs. Because of the small number of LDCs, it is feasible to elicit probabilities of success for each reference attack vector
against each LDC for each type of attacker under consideration. The vulnerability estimate for a given LDC reflects SME
judgments about how well the defensive attributes of that LDC would perform against a particular attacker using a particular
attack vector, based on the attacker's capabilities and intent and the attack vector's characteristics.

Probabilities of success against individual LDCs are combined into a P(S|A) for a scenario as shown in Equation 4. The
probability of success against a layer is conditioned on which layers have already been breached, since some layers can degrade
attackers' capabilities in various ways. Further, P(S|A) incorporates the possibility that some layers may or may not be
encountered (e.g., response forces may or may not arrive in time to engage the adversary before the attack succeeds). The process
for estimating P(S|A) in light of these factors is discussed in detail in Morgeson et al. (2013).

4. THREAT

Modelling threat from goal-oriented, adaptive adversaries is fundamentally different from modelling potential hazards associated
with forces of nature. Adversaries evaluate potential attacks based on criteria that are important to them and then choose the
attack that accords best with their objectives. When the adversary decision criteria change, their choice may change as well.
Unlike consequence or vulnerability estimates, a threat estimate for an attack scenario depends not only on the characteristics of
that scenario, but on the characteristics of all attack scenarios that the adversary is choosing from.

To account for these concepts, the CRM-D includes a Probabilistic Adversary Decision Model (PADM), which is composed of
two sub-models: the Adversary Value Model (AVM) and the Attack Choice Model (ACM). The decision model is probabilistic
because no aspect of the adversary's future decision process can be known with certainty.

4.1 Adversary Value Model

This model quantifies expert judgment about how adversaries evaluate the relative attractiveness of attack scenarios based on
scenario characteristics that the adversary is likely to take into account. These features, related to the adversary capabilities and
intent, reflect the various expected benefits, costs, and risks associated with each attack scenario. The AVM also quantifies the
underlying uncertainty about the value system, which stems from the differences of opinion among experts and the uncertainty of
each individual expert about the attacker value system.

4.2 Attack Choice Model


This model uses the estimated adversary value system to calculate P(A) for any set of attack scenarios and to perform ROI
analyses for risk mitigation alternatives. To enable P(A) calculation, attack scenarios in the portfolio need to be formulated in
terms that the AVM can accommodate. This involves using the CRM-D consequence and vulnerability models to estimate the
values for loss of life, total economic impacts, and the probabilities of defeating the national, local, and target defenses for every
scenario in the portfolio. These variables are used as proxies for the adversary perceptions of these variables.
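
The arithmetic of Equations 2 to 4, and the reason threat has to be recomputed for the whole portfolio when one target is hardened, as an added example (not code from the paper or from CRM-D). The scenario values are constructed, and `attack_probabilities` is a hypothetical proportional-choice rule standing in for the PADM, whose elicited adversary value system is not given in the paper.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Scenario:
    name: str
    layer_breach: tuple   # conditional breach probabilities: L1, L2|L1, L3|L1,L2
    consequence: float    # expected consequence C, given the defenses are defeated

    def p_success(self):
        # Equation 4: P(S|A) is the product of the conditional layer terms.
        return prod(self.layer_breach)

    def conditional_risk(self):
        # Equation 3: R_C = P(S|A) x C.
        return self.p_success() * self.consequence


def attack_probabilities(scenarios):
    # ASSUMPTION: stand-in for the Attack Choice Model. P(A) is taken as
    # proportional to conditional risk and normalised over the portfolio;
    # the paper's PADM uses an elicited adversary value system instead.
    weights = [s.conditional_risk() for s in scenarios]
    total = sum(weights)
    if total <= 0:
        raise ValueError("no scenario has positive conditional risk")
    return [w / total for w in weights]


def portfolio_risk(scenarios, p_attack=None):
    # Sum of Equation 2, R = P(A) x P(S|A) x C, over all scenarios.
    # With p_attack=None, P(A) is recomputed from the scenarios passed in.
    if p_attack is None:
        p_attack = attack_probabilities(scenarios)
    return sum(p * s.conditional_risk() for p, s in zip(p_attack, scenarios))


# Constructed sample portfolio (not from the paper), arbitrary consequence units.
BASELINE = (
    Scenario("dam A, main impoundment", (0.5, 0.5, 0.5), 800.0),
    Scenario("lock B, gate", (0.5, 0.5, 0.25), 4800.0),
)
# Mitigation alternative: a stronger target-layer configuration at lock B
# halves the third-layer breach probability.
MITIGATED = (
    BASELINE[0],
    Scenario("lock B, gate", (0.5, 0.5, 0.125), 4800.0),
)


def compare():
    frozen_threat = attack_probabilities(BASELINE)
    return {
        "baseline": portfolio_risk(BASELINE),
        "mitigated": portfolio_risk(MITIGATED),  # adversary re-chooses
        "mitigated_fixed_threat": portfolio_risk(MITIGATED, frozen_threat),
    }


if __name__ == "__main__":
    print(compare())
```

The gap between the `mitigated` and `mitigated_fixed_threat` figures is the error introduced by holding P(A) at its baseline value after the defenses change.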

5. ADDED VALUE FOR THE POST 2015 FRAMEWORK FOR DISASTER RISK REDUCTION

The 2005 World Conference on Disaster Reduction (Hyogo, Japan), which gave rise to the "Hyogo Framework for Action 2005-
2015", promoted a strategic and systemic approach to reducing vulnerabilities and risks to hazards both natural and man-made.
It established five priorities, four of which the CRM-D directly or indirectly addresses: (1) ensure that disaster risk reduction is a
national and local priority with a strong institutional basis for implementation; (2) identify, assess and monitor disaster risks and
enhance early warning; (3) use knowledge, innovation and education to build a culture of safety and resilience at all levels; and
(4) reduce underlying risk factors. CRM-D accomplishes this by providing a framework that can be implemented locally at each
dam to address security concerns, and nationally using the risk results from individual dams to conduct dam portfolio analyses.
Furthermore, the CRM-D framework can be implemented across sectors. It provides the ability to monitor and assess risks and
uses the information obtained to implement risk mitigation options that reduce the underlying risks. CRM-D also supports the
Hyogo Framework goal of creating and strengthening nationally integrated disaster risk reduction mechanisms among federated
sectors or involving national systems that are owned and operated by a diverse set of stakeholders.

6. CONCLUSIONS

The Common Risk Model for Dams (CRM-D) is a consistent, mathematically rigorous, and easy to implement method for
security risk assessment of dams, navigation locks, hydropower projects, and similar infrastructures. This methodology, the
implementation of which represents collaborative efforts between the U.S. Army Corps of Engineers and the U.S. Department of
Homeland Security, provides a systematic approach for evaluating and comparing security risks across a large portfolio.

Risk is calculated for attack scenarios as a function of consequences, vulnerability, and threat. Vulnerability estimates are elicited
as probabilities of successful attacks. The elicited estimates can then be used to estimate the vulnerability of a target protected by
any combination of the generic security configurations against any of the reference attack vectors for the adversary groups under
consideration. The CRM-D also incorporates a probabilistic adversary decision model to estimate the probability of each attack
scenario in the set given that one of the scenarios in the set is attempted. The CRM-D can effectively quantify the benefits of
implementing a particular risk mitigation strategy and, consequently, enable return-on-investment analyses for multiple risk
mitigation alternatives across a large portfolio.